After one of the most tumultuous years in recent history, it’s necessary that we take the time to consider what data privacy means in the new context we find ourselves in. With more consumers relying on online services to do everything from their weekly shop to socialising, and more businesses migrating operations into the cloud to support working from home, it’s clear that the integrity of data is more important now than it ever has been.
Initiated in 2007, Data Privacy Day stands as a reminder to consumers, communities and businesses of the importance of protecting the privacy of both the data they own, and the data to which they access to on a daily basis. What security practices and policies should we focus on in this new digital environment? In this article, we ask the experts for advice.
Businesses need to ‘Respect Privacy’
“Cybercriminals’ methods for attacking businesses now make heavy use of social engineering, and the COVID-19 pandemic has only served to intensify and embolden these efforts. F5 Labs’ recent Phishing and Fraud Report found that phishing attacks increased by 220% at the height of the global pandemic in 2020 compared to the yearly average.
This year’s bid to encourage businesses to ‘Respect Privacy’ for Data Privacy Day is a vital one. While there is an important part for the individual to play in ensuring they protect their personal information online, companies must recognise the responsibility they have to uphold the trust of customers and safeguard data effectively.” David Warburton, Senior Threat Evangelist, EMEA, F5
Invest in technology to sensor critical data
“It’s easy to get personal and sensitive information from contact centre databases if they are not properly managed and secure. It is crucial that businesses take the appropriate steps to ensure their customers are protected with the appropriate technology solutions to work alongside their agents.
For example, when a customer needs to cite their credit card number over the phone, businesses can invest in technology that sensors the information both in live conversations as well as in recordings. Systems may even temporarily transfer the customer to an automated service line so that no human agent is privy to the information in order to mitigate insider threats.” – Neil Hammerton, CEO and Co-founder, Natterbox
Take a holistic approach to privacy and security
“It’s easy for companies to fall into the trap of taking a ‘respond to the next compliance law’ approach. But those that do often go through more pain having to implement controls that address each variation of the data privacy laws that are now being enforced worldwide.
Businesses should instead take a holistic approach to privacy and security – combining a bottoms-up discovery and assessment with a top-down vision of addressing the root constructs of each privacy and security law. This Data Privacy Day, senior management needs to commit to this approach if their companies are to maintain the security of their customers’ data and be successful with privacy regulation.” Simon Johnson, General Manager, UK and Ireland, Freshworks
Define your disaster recovery strategy
“If a data breach occurs, IT teams will need to locate and close any vulnerabilities in IT systems or business processes and switch over to Disaster Recovery arrangements in case the data has become corrupted. An organisation’s speed and effectiveness of response will be greatly improved if it has the results of a Data Protection Impact Assessment (DPIA) that details all the personal data that an organisation collects, processes and stores, categorised by level of sensitivity.
If companies are scrambling around, unsure of who should be taking charge and what needs to be done, then the damage caused by the outage will only be intensified. To demonstrate true resilience, Business Continuity Plans must be triggered quickly and effectively, with a dedicated executive Crisis Management Team to lead the way through a crisis.” Chris Huggett, SVP EMEA & India, Sungard AS
Update your firmware
“Being mindful of the security and privacy of your data is not just about being wary of phishing attempts and malicious websites. Attackers can easily get into your home network through taking advantage of out-of-date firmware on internet routers.
Firmware is the software that your router runs on, and old firmware contains many widely-known, easily compromised security vulnerabilities, so it’s important to keep it regularly updated. Making sure your router is up-to-date not only reduces the risk to your own personal information and devices on your home network, it also helps safeguard against attacks on your employer that might inadvertently come via your home network.” Nir Chako, Security Research Team Leader, CyberArk
Leverage cloud platforms with strong encryption
“The COVID-19 outbreak and associated stay-at-home restrictions has dramatically increased companies’ reliance on the cloud. To continue business as usual, companies moved many agents to home offices and set up their contact centres in the cloud. Increasingly, contact centre managers recognise how cloud technology can also help navigate security and compliance challenges.
With a cloud platform that maintains strong encryption, logical isolation, stringent multi-tenant security standards and key industry certifications, you can more easily comply with the appropriate regulations. By ensuring that you protect customer data, you’re also protecting your business — financially and legally.” Bill Dummett, Chief Privacy Officer, Genesys
Augment the ability of human employees handling of sensitive data with AI
“Gartner has predicted that privacy-enhancing computing will be one of the main drivers of change that we will see in 2021. For customer-facing organisations across finance, banking and insurance industries – and increasingly healthcare and MedTech too – capturing sensitive customer and patient data is now essential for defining business needs. But the failure to securely manage customer data can have costly and damaging implications.
In many regulation-heavy industries, like banking and insurance, we’re seeing an uptick in the number of organisations deploying AI-powered digital employees to augment the ability of human employees handling of sensitive data. Trained to follow specific rules and processes, and quickly adaptable to comply with new regulations, digital employees can act as whisper agents to guide human employees through processes that are fraught with privacy risks to help reduce any chance of human error and prevent the unauthorised sharing of data.” Faisal Abbasi, MD UK&I, Amelia (an IPsoft company)
Educate individuals on cyber threats and their data footprint
“Phishing remains one of the biggest threats to data privacy. According to data from Atlas VPN, at least 2 million new phishing websites were registered in the first 10 months of 2020, a 20% increase on 2019. This indicates attackers doubled down on the tactic during the pandemic – unsurprising given 97% of people are reportedly unable to identify a sophisticated phishing email.
More often than not, mitigating phishing and maintaining data security comes down to humans’ own behaviours. Educating individuals on cyber threats and their data footprint remains essential, and there are numerous virtual and physical training courses businesses can tap into. These help individuals not only improve their online habits at work, but also in their personal lives too, and raise awareness of data privacy.” Mark Belgrove, Head of Cyber Consultancy, Exponential-e
Check your business is GDPR compliant
“GDPR has remained a regulatory priority despite the UK’s Information Commissioner’s Office (ICO) saying it would take a softer approach with non-compliant companies due to the pandemic. In fact, recent data suggests that fines increased by 40% last year meaning businesses need to remain vigilant even during times of economic uncertainty.
Customer trust, data privacy and transparency go hand-in-hand, so companies need to make sure they have processes in place that can document what information is being stored and where, and make it available to both customers and the regulatory body that is overseeing them. Regulations such as GDPR exist to ensure that both businesses and customers are comfortable with data sharing and trust the idea of working within digital experiences.” Chris Stennett, Global VP Business Value & Strategy, Sitecore
Protect public data as a force for good
“Be it personal banking details or mRNA vaccine codes, all data now has a valuable price, making data privacy all the more important. Through increasing innovation, we’re getting better at protecting that data and using it as a force for good. This is improving citizen trust at a time when the pandemic is fuelling government reliance on data to get critical information and services out to the general public.
A fundamental focus on data privacy is critical for maintaining this trust and helping citizens to understand the benefits that come with sharing their data. Without it, innovation will stall, data will be kept in silos and efficient service delivery will collapse. Once the mutual benefits are not only acknowledged but also understood, we can really allow government organisations to transform and improve all of our lives for the better.” Liz O’Driscoll, Head of Innovation, Civica
Build confidence around ethical data sharing
“The last 12 months has shone a bright light on the usefulness and importance of using health data to improve patient care and accelerate medical research. But there are significant challenges too, such as concerns about surveillance, the ability to keep health data and records private, and how they’re used by third parties.
Despite concerns, there are clear benefits in collecting and using ethically sourced real-world evidence, whether directly from hospitals or remote devices being used as home. Remote patient monitoring in particular will become an even bigger trend this year as in person doctor-patient visits reduce. Understanding how individuals are affected by diseases or react to drugs, and how this may differ from person to person, can help to inform research, and eventually improve or save lives. That being said, there must also be buy-in from patients willing to use these devices, share their data and allow it to be used in R&D. Without willingness to share data, coupled with the transparency from organisations using it, innovations like remote patient monitoring, wearable medical devices and drug development will simply not work as effectively.
As a result, healthcare institutions have an ethical duty to make patients feel confident and comfortable to share data with the healthcare and pharma industry to support medical research and drug discovery, and organisations must take every effort and provide the reassurance that they are able to protect patient’s anonymity.” Alan Payne, Chief Information Officer, Sensyne Health
Visualise and manage access to data
“Data Privacy Day is also a timely reminder to take a look beyond the usual access controls, and think about how analytics could be used to support with compliance. Analytics programmes can help IT teams visualise and manage who has access to what information and if that remains relevant to their role.
For instance, this could be through bringing together disparate data sets on user access controls and HR lists of leavers, starters and changers to ensure that there are no anomalies where people retain access to information that is no longer appropriate to their role. This helps businesses introduce real intelligence into the management of data privacy to reduce the risk of human error and streamline processes for IT teams.” Adam Mayer, Senior Manager, Qlik